Light shed on Novell's darkest security secret

Novell explains its Padlock Fix

Common Topics

Updated Novell users are at last able to find out why they needed to apply a patch to fix a GroupWise security problem deemed so serious the firm decided to keep it secret.

Back in August, Novell sent an email to GroupWise 5.5 Enhancement Pack and GroupWise 6 users asking them to apply the Padlock Fix patch to their servers immediately. It wouldn't tell anybody why it was needed, lest hackers exploited the problem on unpatched systems. There was also a patch for client machines, but this was less critical.

Users were left to wonder why the server patch was needed or had to trust Novell that applying it wouldn't mess with their environment. Novell simply warned users about an unstated risk and urged them in the strongest terms to apply a patch.

The Padlock Fix, it can now be revealed, closes a security flaw which might allow usernames and passwords to be sniffed if a hacker manages to put a protocol analyser between a GroupWise server and client. With the username and password in tow, a cracker can easily enter a user's mailbox.

The bug affects GroupWise when it is operating in either live remote or smart caching mode, but not in either online or batch mode (where usernames and passwords are sent encrypted). The Padlock Fix ensures encryption is used in all circumstances.

Novell said in August that it wasn't aware of any system compromises because of the issue, and that remains the case now. But you can say that about instances when Novell has been more open about security issues. The way Novell choose to handle matters in this case guaranteed user unease and negative headlines.

Novell's argument that any information on the problem needed to be kept secret remains unconvincing and calls to mind Microsoft's attempts to restrict the discussion of security vulnerabilities.

If vulnerabilities are kept secret, vendors are less likely to provide a timely fix. Likewise, keeping information from users doesn't necessarily keep it out of the hands of crackers.

Security isn't just the responsibility of software vendors, nor should it be, and the days when this is a viable strategy are long gone. ®

Update

Novell has been in touch to defend its handling of the Padlock Fix security issue.

Jason Williams, GroupWise product manager, said that a record of downloads from its site and feedback from its partners suggests 95 per cent of its "traceable customers" had implemented the fix. He said this fix "vindicated" Novell's approach, though it doesn't mean Novell will handle every security risk in that way from now on.

Each security fix will be subject to a risk analysis, which is the case of Padlock Fix resulted in an unprecedented decision (for Novell) to withhold details of the bug while supplying a patch to customers. Uppermost in Novell's thinking on Padlock Fix was the need to safeguard customer data, to the extent that Novell was happy to keep its customer in the dark lest the information leak into the hands of crackers.

Novell's Canadian partner Kinetic, which discovered the bug, wasn't bound by any confidentiality agreement and could have published it on a full disclosure mailing list at any time, Williams told us. He agreed that even if that happened any system penetration was still unlikely but steadfastly declined to make any comment about the politics of vulnerability disclosure.